Re: lockaccount flag in userAccountControl does not change
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 25 Nov 2005 20:17:24 -0600
Both .NET 1.x and .NET 2.0 have support for reading LDAP directories via the
System.DirectoryServices namespace. .NET 2.0 adds more features and the
S.DS.ActiveDirectory and S.DS.Protocols namespaces.
Neither has explicit support for dealing with lockout though.
The IADsUser interface in ADSI attempts to support it, but it has a
shortcoming that can lead to false positives. The issue is that it simply
checks to see if lockoutTime has a value or not and assumes the account is
locked if it does. Unfortunately, the DS doesn't automatically nullify the
value once the account is unlocked, so the value might stay populated for a
while after the account is unlocked.
Lockout status is more complex than disabled status because it is highly
configurable in AD, with the number of failure attempts and lockout time
being set at the domain level. That's why you can't just check a bit to see
if the account is locked.
IADsUser is also not really good to use for searching for locked accounts as
it requires that each user in the directory be enumerated.
If you are interested in .NET, Ryan Dunn has a nice C# article on his blog
(www.dunnry.com) that shows samples for finding locked accounts.
Joe K.
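The comparison Joe describes, as an added example (not code from this thread, from Ryan Dunn's blog, or from Microsoft): a stale lockoutTime is only meaningful when set against the domain's lockoutDuration, so the candidates an (lockoutTime>=1) search returns are post-filtered by whether the lockout window is still open. The FILETIME conversion, the fixed "now" and the four sample entries are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. lockoutTime is
# stored this way; lockoutDuration is stored as a *negative* tick count.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
THIRTY_MINUTES = -30 * 60 * 10_000_000   # a typical domain lockoutDuration
NEVER_AUTO_UNLOCK = -(1 << 63)           # lockoutDuration "until an admin unlocks"

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def is_locked_out(lockout_time, lockout_duration, now):
    """True only while the lockout window is still open.

    A populated lockoutTime alone is not enough: the DS does not clear it when
    the duration expires, so the value must be compared against the domain's
    lockoutDuration (the step IADsUser skips, giving false positives).
    """
    if not lockout_time:                 # absent or 0: not locked / explicitly unlocked
        return False
    if lockout_duration == NEVER_AUTO_UNLOCK:
        return True                      # only an administrator can clear it
    window = timedelta(microseconds=(-lockout_duration) // 10)
    return now < filetime_to_datetime(lockout_time) + window

def find_locked_accounts(entries, lockout_duration, now):
    """Post-filter the candidates an (lockoutTime>=1) LDAP search would return."""
    return sorted(e["sAMAccountName"] for e in entries
                  if is_locked_out(e.get("lockoutTime", 0), lockout_duration, now))

# Constructed sample: a fixed "now" and four entries shaped like LDAP search results.
NOW = datetime(2005, 11, 25, 20, 17, 24, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    {"sAMAccountName": "bob",   "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},  # stale
    {"sAMAccountName": "carol", "lockoutTime": 0},   # cleared by an explicit unlock
    {"sAMAccountName": "dave"},                      # never locked: attribute absent
]

def demo(lockout_duration=THIRTY_MINUTES):
    return find_locked_accounts(SAMPLE_ENTRIES, lockout_duration, NOW)

if __name__ == "__main__":
    print(demo())                    # ['alice']
    print(demo(NEVER_AUTO_UNLOCK))   # ['alice', 'bob']
```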
"BedSmoker" <BedSmoker@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:751BCD33-1AC2-42D2-911B-CA352C04CE94@xxxxxxxxxxxxxxxx
> Thank you for your answer Tony. I have heard that there are some software
> that manages to let one view locked out accounts.
>
> The tricky part for me is that I use business rules to retrieve and modify
> properties in Active Directory. It's required by the solution that I'm working on.
> One other way that struck my mind is to run a saved query in AD and then
> populate a group with the users that come as a result from the query. This
> didn't work either.
>
> It's really strange that one can't determine if a user account is locked out
> in the same way that one can determine if the account is enabled/disabled.
>
> I've read some about .NET 2.0 and that one could type managed code to
> retrieve data from the AD..?
> --
> tnx
> //BedSmoker
>
> "Tony Murray" wrote:
>
>> Finding the lockout status is a tricky one. You can run an LDAP query to
>> find all the users that have a populated lockoutTime attribute, but this
>> won't give you the whole picture. If there is a value it would find all the
>> locked out users, but would also find those accounts that have become
>> unlocked and have yet to log in.
>>
>> An easy way to view the lockout status is to use the unlock utility from
>> joeware.net with the -view option. For more information on unlock, see the
>> link below.
>>
>> http://www.joeware.net/win/free/tools/unlock.htm
>>
>> Tony
>> www.activedir.org
>>
>> "BedSmoker" wrote:
>>
>> > I use userAccountControl to identify if an account is enabled or disabled by
>> > looking at the flag (bit) that corresponds to that property. So far so good.
>> >
>> > Reading the article:
>> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 I understand
>> > that the lockaccount property is also supposed to be represented in the
>> > userAccountControl.
>> >
>> > My problem is that the lockout flag doesn't change when an account is locked
>> > out. It always stays the same. Does anyone know how I can solve this?
>> >
>> > --
>> > tnx
>> > //BedSmoker